Abstract: Wireless sensor networks (WSNs) consist of sensors, gateways and users. 
Sensors are widely distributed to monitor various conditions, such as temperature, 
sound, speed and pressure, but they have limited computational ability and energy. To 
reduce the resource use of sensors and enhance the security of WSNs, various user 
authentication protocols have been proposed. In 2011, Yeh et al. first proposed a user 
authentication protocol based on elliptic curve cryptography (ECC) for WSNs. However, 
it turned out that Yeh et al.'s protocol does not provide mutual authentication, perfect 
forward secrecy, and key agreement between the user and sensor. Later in 2013, 
Shi et al. proposed a new user authentication protocol that improves both the security and 
the efficiency of Yeh et al.'s protocol. However, Shi et al.'s improvement introduces other 
security weaknesses. In this paper, we show that Shi et al.'s improved protocol is vulnerable 
to a session key attack, a stolen smart card attack, and a sensor energy exhausting attack. 
In addition, we propose a new, security-enhanced user authentication protocol using ECC 
for WSNs. 

Keywords: authentication protocol; elliptic curves cryptography; wireless sensor network 
1. Introduction 

Wireless sensor networks (WSNs) provide a feasible real-time monitoring system. Wireless sensors 
can be easily deployed in various environments such as military surveillance, forest fire detection, 
health care and wildlife monitoring. WSNs basically consist of users, sensors and gateways whose 
communication security is a significant concern in real-world applications [1]. Users and gateways 
have sufficient resources to be used in the system, but sensors are different. Sensors have limited 
computational ability, low battery, low bandwidth, and a small amount of memory. Therefore, in WSNs, 
it is important to reduce the use of sensors to extend their lifespans [2-4]. 

Various user authentication protocols have been proposed for securing WSNs while minimizing the 
use of sensors. In 2004, Watro et al. proposed a user authentication protocol employing the RSA and 
Diffie-Hellman algorithms [5]. In 2006, Wong et al. proposed an efficient dynamic user authentication 
protocol using a hash function [6]. However, Tseng et al. demonstrated that Wong et al.'s authentication 
protocol is vulnerable to stolen-verifier attack, replay attack and forgery attack [7,8]. Later in 2009, 
Das proposed a two-factor user authentication protocol using smart cards. Das showed how to design an 
authentication protocol where only the user who is in possession of both the smart card and the password 
can pass the verification of the gateway [8]. However, several security-related flaws in Das's protocol 
have been disclosed by later studies as summarized below: 

• He et al. demonstrated that Das's protocol is vulnerable to insider attacks and impersonation 
attacks, and that it does not allow users to change their passwords freely. He et al. proposed 
an improved two-factor protocol [9] which can resist insider and impersonation attacks. 

• Khan and Alghathbar showed that Das's protocol fails to provide mutual authentication between 
the gateway and the sensor, and due to this failure, it is not secure against a gateway bypassing 
attack and a privileged-insider attack [10]. 

• Chen et al. also pointed out that Das's protocol does not achieve mutual authentication between the 
gateway and the sensor, and proposed a robust authentication protocol that provides the property 
of mutual authentication [11]. 

In 2011, Yeh et al. [2] revealed that Chen et al.'s protocol has difficulty in updating users' passwords 
and is vulnerable to an insider attack. As an improvement of Chen et al.'s protocol, Yeh et al. presented 
the first user authentication protocol that uses elliptic curve cryptography (ECC) in WSN environments. 
However, Han [12] showed that Yeh et al.'s protocol still has some security weaknesses: it does not 
provide perfect forward secrecy and fails to achieve mutual authentication and key agreement between 
the user and the sensor. To address these problems with Yeh et al.'s protocol, Shi et al. [3] have recently 
proposed a new smart-card-based user authentication protocol using ECC for WSNs. Shi et al.'s protocol 
performs more efficiently, both in terms of computation and communication costs, and provides better 
security than Yeh et al.'s protocol. However, we found that Shi et al.'s improvement is not yet secure 
enough: their protocol is susceptible to session key attacks, stolen smart card attacks, and sensor energy 
exhausting attacks. In addition to reporting the security weaknesses, we also show how to enhance the 
security of Shi et al.'s protocol with no significant increase in communication and computation costs. 
We analyze and verify the security of the proposed protocol using non-monotonic cryptographic logic 
(Rubin logic). 
Throughout the paper, we make the following assumptions on the capabilities of the probabilistic 
polynomial-time adversary A in order to properly capture the security requirements of two-factor 
authentication protocols using smart cards in wireless sensor networks. 

• A has the complete control of all message exchanges between the protocol participants: a user, a 
sensor and the gateway. That is, A can eavesdrop, insert, modify, intercept, and delete messages 
exchanged among the three parties at will. 

• A is able to (1) extract the sensitive information on the smart card of a user through a power 
analysis attack [13,14] or (2) find out the user's password, possibly via shoulder-surfing or by 
employing a malicious card reader. However, it is assumed that A is unable to compromise both 
factors, the information on the smart card and the password of the user, at once; it is clear that 
there is no way to prevent A from impersonating the user if both factors are compromised. 

2. Overview of Elliptic Curves Cryptography 

In 1985, Neal Koblitz and Victor S. Miller proposed the use of elliptic curves in cryptography. After 
various studies on ECC, it has been widely used since the early 21st century. ECC is a type of public-key 
cryptography based on the algebraic structure of elliptic curves over finite fields. Elliptic curves are 
also used in several integer factorization algorithms. ECC provides the important benefit of a smaller 
key size while maintaining the same degree of security as other types of public-key 
cryptography, such as RSA, DH and DSA. Therefore, ECC is especially useful for wireless devices, 
which typically have limited CPU capacity, power and network connectivity. Table 1 shows the NIST 
guidelines on choosing key sizes in ECC and other public-key cryptography [15]. 

Table 1. ECC key sizes compared with other PKC schemes. 

Security (bits) | ECC | RSA/DH/DSA | MIPS-Years to Attack | Protection Lifetime 
80              | 160 | 1,024      | 10^12                | until 2010 
112             | 224 | 2,048      | 10^24                | until 2030 
128             | 256 | 3,072      | 10^28                | beyond 2031 
192             | 384 | 7,680      | 10^47                | beyond 2031 
256             | 512 | 15,360     | 10^66                | beyond 2031 


ECC has three related mathematical problems: the Elliptic Curve Discrete Logarithm Problem 
(ECDLP), Elliptic Curve Computational Diffie-Hellman Problem (ECCDHP), and Elliptic Curve 
Decisional Diffie-Hellman Problem (ECDDHP). No polynomial time algorithm can solve the ECDLP, 
ECCDHP and ECDDHP with non-negligible probability. 

Let p > 3 be a large prime and choose two field elements a, b ∈ F_p satisfying 4a^3 + 27b^2 ≠ 0 (mod p) 
to define the equation of a non-supersingular elliptic curve E: y^2 = x^3 + ax + b (mod p) over F_p. Choose 
a generator point P = (x_P, y_P) whose order is a large prime number q over E(F_p). In the same way, a 
subgroup G of the elliptic curve group E(F_p) with order q is constructed. Then, the three mathematical 
problems in ECC are defined in various studies [16-18] as follows. 
• ECDLP: Given a point element Q in G, find an integer x ∈ Z_q^* such that Q = xP, where xP 
indicates that the point P is added to itself x times by the elliptic curve operation. 

• ECCDHP: For a, b ∈ Z_q^*, given two point elements aP, bP in G, compute abP in G. 

• ECDDHP: For a, b, c ∈ Z_q^*, given three point elements aP, bP and cP in G, decide whether 
cP = abP. 
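As an added illustration of the definitions above (this is not code from the paper), the following Python implements the group operation on a curve y^2 = x^3 + ax + b over F_p, scalar multiplication xP by double-and-add, and the ECDH agreement that both parties reach abP from aP and bP. The curve y^2 = x^3 + 2x + 3 over F_97 with base point P = (3, 6) is a constructed toy of order q = 5; it is chosen so small only so that the ECDLP can be solved by exhaustive search, which the brute-force routine makes visible. Real deployments use the curve sizes of Table 1, where that search is infeasible.

```python
# Toy elliptic-curve arithmetic over F_p. Constructed example, not the paper's code:
# the curve and base point below are far too small for any real use.
P_MOD, A, B = 97, 2, 3        # E: y^2 = x^3 + A x + B over F_97
INF = None                    # the point at infinity O


def on_curve(pt):
    """True when pt lies on E (O counts as a curve point)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """The elliptic-curve group operation (chord-and-tangent rule)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF            # p2 = -p1
    if p1 == p2:              # tangent slope for doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:                     # chord slope for distinct points
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def smul(k, pt):
    """k·P by double-and-add: P added to itself k times, in O(log k) group operations."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def order(pt):
    """Smallest q > 0 with q·P = O."""
    q, acc = 1, pt
    while acc is not INF:
        acc = add(acc, pt)
        q += 1
    return q


def dlog_bruteforce(Q, pt, q):
    """Solve the ECDLP Q = x·P by exhaustive search; feasible only because q is tiny."""
    for x in range(1, q):
        if smul(x, pt) == Q:
            return x
    return None


def ecdh(a, b, pt):
    """ECCDHP from the inside: holders of a and b both reach abP from the public aP, bP."""
    return smul(a, smul(b, pt)), smul(b, smul(a, pt))


if __name__ == "__main__":
    P = (3, 6)
    print("order of P:", order(P), "| 3P =", smul(3, P), "| dlog(3P) =", dlog_bruteforce(smul(3, P), P, order(P)))
    print("shared secret both ways:", ecdh(2, 3, P))
```

With q = 5 the exhaustive search finishes instantly; on a 256-bit curve from Table 1 the same loop would need on the order of 2^128 group operations even with the best generic algorithms, which is the gap the three problems of this section rest on.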

3. Review of Shi et al.'s Protocol 

In Shi et al.'s protocol [3], the gateway is a trusted node that holds two sufficiently large master 
keys, x and y. Before starting the system, the gateway and the sensors share a long-term secret key 
SK_GS = h(ID_Sn || y). Shi et al.'s protocol consists of four phases: user registration phase, login phase, 
authentication phase, and password update phase. For convenience, the notations used throughout this 
paper are summarized in Table 2. 

Table 2. Notations. 

Symbol  | Description 
p, q    | Two large prime numbers 
F_p     | A finite field 
E       | An elliptic curve defined on finite field F_p with large order 
G       | The group of elliptic curve points on E 
ID_U    | The identity of user U 
ID_Sn   | The identity of sensor S_n 
pw_U    | The user U's password 
GW      | The gateway of WSN 
x, y    | The master keys of GW 
h(·)    | A secure one-way hash function 
||      | A string concatenation operation 
⊕       | A bitwise XOR operation 


3.1. Registration Phase 

In this phase, the user U securely submits its identity ID_U and password pw_U to the gateway GW. 
Then, GW issues U a smart card containing the user authentication information, as shown in Figure 1. 

3.2. Login and Authentication Phases 

In the login and authentication phases, when U enters ID_U and pw_U into a smart card terminal, the 
smart card must validate the legitimacy of U. Then, U, S_n and GW authenticate each other. This 
protocol uses four messages (M_1, M_2, M_3, M_4) for mutual authentication, as described in Figure 2. Lastly, 
U and S_n share the session key sk. After the authentication phase, U and S_n communicate with each 
other using the session key sk. 
Figure 1. The registration phase of Shi et al.'s protocol. 

User (U)                                          Gateway (GW) 
chooses ID_U, pw_U 
generates a random number b_U 
computes pw̄_U = h(pw_U ⊕ b_U) 
                    ---- (ID_U, pw̄_U) ---->      
                                                  computes K_U = h(ID_U || x) · P 
                                                  B_U = h(ID_U ⊕ pw̄_U) 
                                                  W_U = h(ID_U || pw̄_U) ⊕ K_U 
                    <--- smart card (B_U, W_U, h(·)) ---- 
inputs b_U into the smart card 

Figure 2. The login and authentication phases of Shi et al.'s protocol. 

User (U): 
  pw̄_U = h(pw_U ⊕ b_U) 
  B'_U = h(ID_U ⊕ pw̄_U) 
  checks B'_U = B_U 
  K_U = h(ID_U || pw̄_U) ⊕ W_U 
  generates r_U ∈ Z_q^* 
  X = r_U · P 
  X' = r_U · K_U 
  α = h(ID_U || X || X' || T_U) 
  M_1 = (ID_U, X, T_U, α)  ---->  Sensor (S_n) 

Sensor (S_n): 
  checks T' − T_U < ΔT 
  generates r_S ∈ Z_q^* 
  Y = r_S · P 
  β = h(SK_GS || ID_U || X || T_U || α || ID_Sn || Y || T_S) 
  M_2 = (ID_U, X, T_U, α, ID_Sn, Y, T_S, β)  ---->  Gateway (GW) 

Gateway (GW): 
  checks T'' − T_U < ΔT 
  checks T'' − T_S < ΔT 
  checks β = h(SK_GS || ID_U || X || T_U || α || ID_Sn || Y || T_S) 
  X' = h(ID_U || x) · X 
  checks α = h(ID_U || X || X' || T_U) 
  γ = h(SK_GS || ID_U || X || T_U || α || ID_Sn || Y || T_S || T_G) 
  δ = h(ID_U || X || X' || T_U || Y || T_S) 
  M_3 = (T_G, γ, δ)  ---->  Sensor (S_n) 

Sensor (S_n): 
  checks T''' − T_G < ΔT 
  checks γ = h(SK_GS || ID_U || X || T_U || α || ID_Sn || Y || T_S || T_G) 
  K_SU = r_S · X 
  τ = h(Y || T_S || δ || K_SU) 
  sk = h(X || Y || K_SU) 
  M_4 = (Y, T_S, δ, τ)  ---->  User (U) 

User (U): 
  checks T'''' − T_S < ΔT 
  checks δ = h(ID_U || X || X' || T_U || Y || T_S) 
  K_US = r_U · Y 
  checks τ = h(Y || T_S || δ || K_US) 
  sk = h(X || Y || K_US) 
3.3. Password Update Phase 

In the password update phase, U enters the identity ID_U, the old password pw_U, and the new password 
pw'_U. Then, the smart card updates the password after first checking the correctness of the old password, 
as shown in Figure 3. 

Figure 3. The password update phase of Shi et al.'s protocol. 

User (U) 
  inserts smart card 
  enters ID_U, pw_U, pw'_U 
  pw̄_U = h(pw_U ⊕ b_U) 
  B'_U = h(ID_U ⊕ pw̄_U) 
  checks B'_U = B_U 
  K_U = h(ID_U || pw̄_U) ⊕ W_U 
  pw̄'_U = h(pw'_U ⊕ b_U) 
  W'_U = h(ID_U || pw̄'_U) ⊕ K_U 
  B'_U = h(ID_U ⊕ pw̄'_U) 
  replaces W_U with W'_U 

4. Security Weaknesses in Shi et al.'s Protocol 

This section shows that Shi et al.'s protocol is vulnerable to a session key attack, a stolen smart card 
attack, and a sensor energy exhausting attack. 

4.1. Session Key Attack 

In Shi et al.'s protocol, the user U and the sensor S_n have to perform the login and authentication 
phases when they want to share a session key which will be used for protecting their subsequent 
communication. A problem occurs if U shares its session key with an attacker, not with the intended 
sensor S_n. In the protocol, the gateway GW and the user U check each other's legitimacy using the 
authenticators α and δ, respectively. However, α and δ do not include information about the sensor S_n 
with which U intends to establish a session key. The attacker exploits this design flaw in mounting a 
session key attack. The attack is depicted in Figure 4 and its description follows. 

When U inputs ID_U and pw_U, and sends M_1 to sensor S_n, the attacker intercepts M_1 and sends it to 
sensor S_A, which was previously stolen by the attacker. Upon receiving M_1, the stolen sensor S_A will 
generate the message M_2 and send it to the gateway GW. However, the attacker replaces ID_Sn contained 
in M_2 with ID_SA to make GW believe that ID_U wants to communicate with sensor S_A, not with S_n. After 
receiving M_2, the gateway GW generates M_3 without noticing any discrepancy and sends it to sensor S_A. 
Lastly, the attacker sends the user U the message M_4 generated by S_A using the message M_3 from GW. 
Because there is no information about the sensor S_n in M_3 and M_4, the user U unknowingly shares the 
session key with the attacker while believing that it has shared the key with the sensor S_n. 
Figure 4. A session key attack on Shi et al.'s protocol. 

User U  --(1) M_1-->  [intercepted by the Attacker]  --(1) M_1-->  Stolen sensor S_A 
Stolen sensor S_A  --(2) M_2^A-->  Gateway GW 
Gateway GW  --(3) M_3^A-->  Stolen sensor S_A 
Stolen sensor S_A  --(4) M_4^A-->  [Attacker]  -->  User U 
Result: U computes the session key sk_A with the stolen sensor S_A instead of sk with S_n. 

(1) M_1 = (ID_U, X, T_U, α)                     forwarded unchanged: M_1 = (ID_U, X, T_U, α) 
(2) M_2 = (ID_U, X, T_U, α, ID_Sn, Y, T_S, β)    replaced by M_2^A = (ID_U, X, T_U, α, ID_SA, Y_SA, T_SA, β_SA) 
(3) M_3 = (T_G, γ, δ)                           replaced by M_3^A = (T_G, γ_SA, δ_SA) 
(4) M_4 = (Y, T_S, δ, τ)                         replaced by M_4^A = (Y_SA, T_SA, δ_SA, τ_A) 

β    = h(SK_GS || ID_U || X || T_U || α || ID_Sn || Y || T_S) 
β_SA = h(SK_GA || ID_U || X || T_U || α || ID_SA || Y_SA || T_SA) 

δ    = h(ID_U || X || X' || T_U || Y || T_S),          τ   = h(Y || T_S || δ || K_US) 
δ_SA = h(ID_U || X || X' || T_U || Y_SA || T_SA),      τ_A = h(Y_SA || T_SA || δ_SA || K_UA) 

γ    = h(SK_GS || ID_U || X || T_U || α || ID_Sn || Y || T_S || T_G) 
γ_SA = h(SK_GA || ID_U || X || T_U || α || ID_SA || Y_SA || T_SA || T_G) 

K_US = r_U · Y = r_S · X,        sk   = h(X || Y || K_US) 
K_UA = r_U · Y_SA = r_SA · X,    sk_A = h(X || Y_SA || K_UA) 


4.2. Stolen Smart Card Attack 

Kocher et al. and Messerges et al. pointed out that the confidential information stored in smart cards 
could be extracted by physically monitoring its power consumption [13,14]. Therefore, it is fair to say 
that if a user loses his or her smart card, all information in the smart card may be revealed to the attacker. 

In Shi et al.'s protocol, the smart card stores various information for user login and authentication. 
The smart card for the user ID_U includes b_U, B_U, W_U and h(·). Using this information and ID_U, an 
attacker can guess U's password pw_U. If ID_U is used in public communication, the attacker can obtain 
or steal it without difficulty. Figure 5 describes a stolen smart card attack against Shi et al.'s protocol. 

The attacker can obtain information from the smart card using attacks such as simple power analysis 
(SPA) and differential power analysis (DPA). This information includes b_U, B_U, W_U and h(·). Recall 
that B_U = h(ID_U ⊕ h(pw_U ⊕ b_U)). Using B_U as a password verifier, the attacker can easily find out 
the password pw_U by mounting an offline password guessing attack (also known as an offline dictionary 
attack) [19-22] if the password pw_U is not long enough. After successfully mounting the password 
guessing attack, the attacker can log in and authenticate with the sensor S_n and the gateway GW using 
the identity ID_U and the password pw_U. 
Figure 5. A stolen smart card attack on Shi et al.'s protocol. 

Attacker 
  gets ID_U from the public communication channel 
  gets (steals) the user's smart card 
  obtains information from the smart card using SPA and DPA 
    → gets b_U, B_U, W_U and h(·) 
  B_U = h(ID_U ⊕ pw̄_U), pw̄_U = h(pw_U ⊕ b_U) 
    → B_U = h(ID_U ⊕ h(pw_U ⊕ b_U)) 
  executes an off-line password attack 
    → figures out the user's password pw_U 
    → logs in to the WSN using ID_U and pw_U 

4.3. Sensor Energy Exhausting Attack 

The computational cost of a sensor is a critical consideration in the design of WSNs, as it increases 
the consumption of the battery power of the sensor. Often it is economically advantageous to discard 
a sensor rather than recharge it. For this reason, the battery power of a sensor is usually the limiting 
resource in wireless devices, with its lifetime determining the sensor lifetime. Previous work has suggested 
several types of energy exhausting attacks. Buttyan et al. [23] investigated the reliability of transport 
protocols for WSNs. Brownfield et al. [24] researched the battery depletion effect through the reduction 
of sleep cycles. Khouzani et al. [25,26] investigated malware attacks in battery-constrained wireless 
networks. As shown by the previous research, WSNs need to eliminate unnecessary computational 
costs of sensors so that the effects of an energy exhausting attack on sensors can be minimized. 

In Shi et al.'s protocol, the sensor performs various cryptographic operations such as one-way 
hash function evaluations, scalar-point multiplications, random number generations, and map-to-point 
hash function evaluations. Scalar-point multiplications are much more expensive than hash function 
evaluations. The computational costs of generating a random number and evaluating a map-to-point 
hash function are about half the cost of performing a scalar-point multiplication. A sensor consumes a 
large amount of energy to perform a scalar-point multiplication and very little to perform a hash function 
evaluation [27-29]. 

Figure 6 shows the possibility of a sensor energy exhaustion attack. The attacker can keep sending 
malicious messages M_1^(1), M_1^(2), M_1^(3), ... generated to consume the battery power of the sensor. The attacker 
can do so because the sensor only checks the freshness of the timestamp in M_1. For each of these fake 
messages, the sensor checks the freshness of the timestamp and proceeds to perform the subsequent 
cryptographic operations, thereby consuming large amounts of energy. Accordingly, it is necessary to 
modify the protocol so that the sensor can check whether the message M_1 is from a legitimate user, not from 
an impostor, before doing any expensive work. 
Figure 6. A sensor energy exhausting attack on Shi et al.'s protocol. 

Attacker                                  Sensor S_n 
  M_1 = (ID_U, X, T_U, α)     ---->       checks T' − T_U < ΔT 
  M_1^A = (*, T_U, *)         ---->       generates r_S ∈ Z_q^* 
  M_1^A = (*, T_U, *)         ---->       Y = r_S · P 
  ...                                     β = h(SK_GS || ID_U || X || T_U || α || ID_Sn || Y || T_S) 
                                          M_2 = (ID_U, X, T_U, α, ID_Sn, Y, T_S, β)  ----> GW 

After checking only the timestamp T_U, the sensor: 
  generates a random number 
  performs a scalar-point multiplication 
  performs a hash function evaluation 


5. The Proposed Protocol 

Like Shi et al.'s protocol, our proposed protocol is divided into three phases: the user registration 
phase, login and authentication phase, and password update phase. Before the protocol is ever executed, 
the gateway generates two master keys, x and y, and shares a long-term secret key SK_GS = h(ID_Sn || y) 
with the sensor S_n. In describing the protocol, we use the same notations as in Table 2 unless 
stated otherwise. 

5.1. Registration Phase 

For a user U, this phase is performed only once when U registers itself with the gateway GW . 
Figure 7 illustrates how the phase works, and its description follows: 

Figure 7. The registration phase. 

User (U)                                          Gateway (GW) 
chooses ID_U, pw_U 
generates a random number b_U 
computes pw̄_U = h(pw_U ⊕ b_U) 
                    ---- (ID_U, pw̄_U) ---->      
                                                  computes K_U = h(ID_U || x) · P 
                                                  A_U = pw̄_U ⊕ h(x ⊕ y) 
                                                  B_U = h(ID_U || pw̄_U || h(x ⊕ y)) 
                                                  W_U = h(ID_U || pw̄_U) ⊕ K_U 
                    <--- smart card (A_U, B_U, W_U, h(·)) ---- 
inputs b_U into the smart card 

(1) The user U chooses its identity ID_U and password pw_U freely, generates a random number b_U, 
and computes pw̄_U = h(pw_U ⊕ b_U). U sends ID_U and pw̄_U to GW via a secure channel. 

(2) The gateway GW computes: 

K_U = h(ID_U || x) · P 

A_U = pw̄_U ⊕ h(x ⊕ y) 

B_U = h(ID_U || pw̄_U || h(x ⊕ y)) 

W_U = h(ID_U || pw̄_U) ⊕ K_U 

Then, GW issues U a smart card loaded with {A_U, B_U, W_U, h(·)}. 

(3) Lastly, U inputs the random number b_U into the smart card. 

5.2. Login and Authentication Phase 

This phase is carried out whenever U wants to gain access to the WSN. During the phase, U 
establishes a session key with the sensor S n while being authenticated by the gateway GW. The phase 
proceeds as follows (see also Figure 8): 

Step 1. U inserts its smart card into the card reader and inputs its identity ID_U and password pw_U. 
Then, the smart card computes: 

pw̄_U = h(pw_U ⊕ b_U) 
h(x ⊕ y) = pw̄_U ⊕ A_U 
B'_U = h(ID_U || pw̄_U || h(x ⊕ y)) 

and checks if B_U is equal to B'_U. If not equal, the smart card aborts the protocol. Otherwise, it 
retrieves the current timestamp T_U, chooses a random number r_U ∈ Z_q^*, and computes: 

K_U = h(ID_U || pw̄_U) ⊕ W_U 
X = r_U · P 
X' = r_U · K_U 
ω = h(ID_U || h(ID_Sn || h(x ⊕ y)) || T_U) 
α = h(ID_U || ID_Sn || X || X' || T_U || ω) 

After the computations, the smart card sends the message M_1 = (ID_U, ID_Sn, X, T_U, α, ω) to the 
sensor S_n. 

Step 2. Upon receiving M_1 from U, the sensor S_n retrieves the current timestamp T' and verifies the 
freshness of U's timestamp T_U by checking that: 

T' − T_U < ΔT 

where ΔT is the maximum allowed time difference between T_U and T'. If T_U is not fresh, S_n 
rejects U's request and aborts the protocol. Otherwise, S_n checks if ω is equal to the hash value 
h(ID_U || h(ID_Sn || h(x ⊕ y)) || T_U). If they are not equal, S_n aborts the protocol. Otherwise, S_n 
generates a random number r_S ∈ Z_q^*, retrieves the current timestamp T_S, and computes: 

Y = r_S · P 
β = h(SK_GS || ID_U || X || T_U || α || ω || ID_Sn || Y || T_S) 

Then, S_n sends the message M_2 = (ID_U, X, T_U, α, ω, ID_Sn, Y, T_S, β) to the gateway GW. 
Figure 8. The login and authentication phase. 

User (U): 
  pw̄_U = h(pw_U ⊕ b_U) 
  h(x ⊕ y) = pw̄_U ⊕ A_U 
  B'_U = h(ID_U || pw̄_U || h(x ⊕ y)) 
  checks B'_U = B_U 
  K_U = h(ID_U || pw̄_U) ⊕ W_U 
  generates r_U ∈ Z_q^* 
  retrieves U's timestamp T_U 
  X = r_U · P 
  X' = r_U · K_U 
  ω = h(ID_U || h(ID_Sn || h(x ⊕ y)) || T_U) 
  α = h(ID_U || ID_Sn || X || X' || T_U || ω) 
  M_1 = (ID_U, ID_Sn, X, T_U, α, ω)  ---->  Sensor (S_n) 

Sensor (S_n): 
  checks T' − T_U < ΔT 
  checks ω = h(ID_U || h(ID_Sn || h(x ⊕ y)) || T_U) 
  generates r_S ∈ Z_q^* 
  retrieves S_n's timestamp T_S 
  Y = r_S · P 
  β = h(SK_GS || ID_U || X || T_U || α || ω || ID_Sn || Y || T_S) 
  M_2 = (ID_U, X, T_U, α, ω, ID_Sn, Y, T_S, β)  ---->  Gateway (GW) 

Gateway (GW): 
  checks T'' − T_S < ΔT 
  checks β = h(SK_GS || ID_U || X || T_U || α || ω || ID_Sn || Y || T_S) 
  X' = h(ID_U || x) · X 
  checks α = h(ID_U || ID_Sn || X || X' || T_U || ω) 
  retrieves GW's timestamp T_G 
  γ = h(SK_GS || ID_U || X || T_U || α || ID_Sn || Y || T_S || T_G) 
  δ = h(ID_U || X || X' || T_U || ID_Sn || Y || T_S) 
  M_3 = (T_G, γ, δ)  ---->  Sensor (S_n) 

Sensor (S_n): 
  checks T''' − T_G < ΔT 
  checks γ = h(SK_GS || ID_U || X || T_U || α || ID_Sn || Y || T_S || T_G) 
  K_SU = r_S · X 
  retrieves S_n's new timestamp T'_S 
  τ = h(Y || T'_S || δ || K_SU) 
  sk = h(X || Y || K_SU) 
  M_4 = (Y, T_S, T'_S, δ, τ)  ---->  User (U) 

User (U): 
  checks T'''' − T'_S < ΔT 
  checks δ = h(ID_U || X || X' || T_U || ID_Sn || Y || T_S) 
  K_US = r_U · Y 
  checks τ = h(Y || T'_S || δ || K_US) 
  sk = h(X || Y || K_US) 
Step 3. After receiving M_2, GW retrieves the current timestamp T'' and verifies the freshness of 
the timestamp T_S by checking that T'' − T_S < ΔT. If T_S is not fresh, GW aborts 
the protocol. Otherwise, GW computes X' = h(ID_U || x) · X and checks if α equals 
h(ID_U || ID_Sn || X || X' || T_U || ω) and β equals h(SK_GS || ID_U || X || T_U || α || ω || ID_Sn || Y || T_S). If either 
of the checks fails, GW aborts the protocol. Otherwise, GW retrieves the current timestamp T_G 
and computes: 

γ = h(SK_GS || ID_U || X || T_U || α || ID_Sn || Y || T_S || T_G) 
δ = h(ID_U || X || X' || T_U || ID_Sn || Y || T_S) 

Then, GW sends M_3 = (T_G, γ, δ) to the sensor S_n. 

Step 4. Having received M_3, S_n retrieves the current timestamp T''' and checks if T''' − T_G < ΔT and 
γ = h(SK_GS || ID_U || X || T_U || α || ID_Sn || Y || T_S || T_G). Only if both checks hold, S_n retrieves the 
new timestamp T'_S and computes: 

K_SU = r_S · X 

τ = h(Y || T'_S || δ || K_SU) 
sk = h(X || Y || K_SU) 

Then, S_n sends M_4 = (Y, T_S, T'_S, δ, τ) to the user U. 

Step 5. With M_4 in hand, U retrieves the current timestamp T'''', computes K_US = r_U · Y, and checks 
if (1) T'''' − T'_S < ΔT; (2) δ = h(ID_U || X || X' || T_U || ID_Sn || Y || T_S); and (3) τ = h(Y || T'_S || δ || K_US). 
If any of the checks fail, U aborts the protocol. Otherwise, U computes: 

5.5. Password Update Phase 

Our protocol allows users to freely update their passwords. The password update phase works as 
follows (see also Figure 9): 

1. The user U inserts its smart card into a smart card reader and enters the identity ID_U, the old 
password pw_U, and the new password pw'_U. 

2. The smart card computes pw̄_U = h(pw_U ⊕ b_U), h(x ⊕ y) = A_U ⊕ pw̄_U, and B'_U = h(ID_U || 
pw̄_U || h(x ⊕ y)) and checks if B'_U is equal to B_U. If they are not the same, the password update phase 
stops. Otherwise, the smart card computes: 

K_U = W_U ⊕ h(ID_U || pw̄_U) 

pw̄'_U = h(pw'_U ⊕ b_U) 

A'_U = pw̄'_U ⊕ h(x ⊕ y) 

B'_U = h(ID_U || pw̄'_U || h(x ⊕ y)) 

W'_U = h(ID_U || pw̄'_U) ⊕ K_U 

and replaces A_U, B_U and W_U with A'_U, B'_U and W'_U, respectively. 
Figure 9. The password update phase. 

User (U) 
  inserts smart card 
  enters ID_U, pw_U, pw'_U 
  pw̄_U = h(pw_U ⊕ b_U) 
  h(x ⊕ y) = A_U ⊕ pw̄_U 
  B'_U = h(ID_U || pw̄_U || h(x ⊕ y)) 
  checks B'_U = B_U 
  K_U = h(ID_U || pw̄_U) ⊕ W_U 
  pw̄'_U = h(pw'_U ⊕ b_U) 
  A'_U = pw̄'_U ⊕ h(x ⊕ y) 
  B'_U = h(ID_U || pw̄'_U || h(x ⊕ y)) 
  W'_U = h(ID_U || pw̄'_U) ⊕ K_U 
  replaces A_U, B_U, W_U with A'_U, B'_U, W'_U 
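The following Python, added here as an illustration and not the paper's own implementation, runs the registration, login and authentication, and password update phases of Sections 5.1, 5.2 and 5.5 end to end with one user, one sensor and the gateway. Assumptions beyond the paper: the curve group G is replaced by exponentiation in Z_p^* (smul plays the role of k·Q), h is SHA-256 over length-prefixed fields, pw_U is zero-padded to 32 bytes before the XOR with b_U, ΔT is 5 seconds, and the sensor is provisioned at setup with h(ID_Sn || h(x ⊕ y)) alongside SK_GS, which it needs in order to verify ω in Step 2 (the paper leaves that provisioning implicit). Two design points from Section 4 are visible in the code: the sensor's ω check is a single hash performed before any scalar multiplication (the Section 4.3 concern), and α and δ carry ID_Sn, so the gateway cannot be made to believe U is talking to a different sensor (the Section 4.1 concern).

```python
import hashlib, secrets, time

# Constructed stand-in for the curve group G (assumption): exponentiation in Z_p^* plays the role of k·Q.
P_MOD, GEN, DELTA_T = 2**127 - 1, 3, 5       # toy prime modulus, "generator" P, ΔT in seconds

def smul(k, Q):                              # k·Q
    return pow(Q, k, P_MOD)

def h(*parts):                               # h(a || b || ...); ints (points, timestamps) -> 32 bytes
    raw = [p if isinstance(p, bytes) else p.to_bytes(32, "big") for p in parts]
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in raw)).digest()

def check(cond, msg):                        # any failed check aborts the protocol run
    if not cond: raise ValueError(msg)
xor = lambda a, b: bytes(i ^ j for i, j in zip(a, b))
to_int = lambda b: int.from_bytes(b, "big")
pw_bar = lambda pw, b: h(xor(pw.ljust(32, b"\0"), b))    # pw̄_U = h(pw_U ⊕ b_U), pw padded to 32 bytes
rand_scalar = lambda: secrets.randbelow(P_MOD - 2) + 1   # r_U, r_S ∈ [1, p - 2]
now = lambda: int(time.time())

class Gateway:
    def __init__(self):
        self.x, self.y = secrets.token_bytes(32), secrets.token_bytes(32)   # master keys x, y
        self.hxy = h(xor(self.x, self.y))                                    # h(x ⊕ y)
    def provision_sensor(self, id_s):        # SK_GS = h(ID_Sn || y); the sensor also receives
        return Sensor(id_s, h(id_s, self.y), h(id_s, self.hxy))   # h(ID_Sn || h(x ⊕ y)) for the ω check
    def register(self, id_u, pwb):           # Section 5.1 step (2): values loaded onto the smart card
        k_u = smul(to_int(h(id_u, self.x)), GEN)                 # K_U = h(ID_U || x)·P
        return {"A": xor(pwb, self.hxy), "B": h(id_u, pwb, self.hxy), "W": xor(h(id_u, pwb), k_u.to_bytes(32, "big"))}
    def step3(self, m2):
        id_u, X, t_u, alpha, omega, id_s, Y, t_s, beta = m2
        t_g = now()
        check(t_g - t_s < DELTA_T, "T_S is stale")
        x_prime = smul(to_int(h(id_u, self.x)), X)               # X' = h(ID_U || x)·X
        check(alpha == h(id_u, id_s, X, x_prime, t_u, omega), "α invalid")
        sk_gs = h(id_s, self.y)
        check(beta == h(sk_gs, id_u, X, t_u, alpha, omega, id_s, Y, t_s), "β invalid")
        gamma = h(sk_gs, id_u, X, t_u, alpha, id_s, Y, t_s, t_g)
        delta = h(id_u, X, x_prime, t_u, id_s, Y, t_s)           # δ names the sensor ID_Sn
        return (t_g, gamma, delta)                               # M_3 = (T_G, γ, δ)

class Sensor:
    def __init__(self, id_s, sk_gs, h_id_hxy):
        self.id_s, self.sk_gs, self.h_id_hxy = id_s, sk_gs, h_id_hxy
    def step2(self, m1):
        id_u, id_s, X, t_u, alpha, omega = m1
        t_s = now()
        check(id_s == self.id_s and t_s - t_u < DELTA_T, "M_1 stale or misdirected")
        check(omega == h(id_u, self.h_id_hxy, t_u), "ω invalid")   # one hash, before any k·Q
        self.r_s, self.t_s, self.ctx = rand_scalar(), t_s, (id_u, X, t_u, alpha)
        self.Y = smul(self.r_s, GEN)                             # Y = r_S·P
        beta = h(self.sk_gs, id_u, X, t_u, alpha, omega, id_s, self.Y, t_s)
        return (id_u, X, t_u, alpha, omega, id_s, self.Y, t_s, beta)   # M_2
    def step4(self, m3):
        t_g, gamma, delta = m3
        id_u, X, t_u, alpha = self.ctx
        t_s2 = now()                                             # the new timestamp T'_S
        check(t_s2 - t_g < DELTA_T, "T_G is stale")
        check(gamma == h(self.sk_gs, id_u, X, t_u, alpha, self.id_s, self.Y, self.t_s, t_g), "γ invalid")
        k_su = smul(self.r_s, X)                                 # K_SU = r_S·X
        tau = h(self.Y, t_s2, delta, k_su)
        self.sk = h(X, self.Y, k_su)
        return (self.Y, self.t_s, t_s2, delta, tau)              # M_4 = (Y, T_S, T'_S, δ, τ)

class User:
    def __init__(self, id_u, pw, gw):        # Section 5.1 steps (1) and (3)
        self.id_u, self.b_u = id_u, secrets.token_bytes(32)
        self.card = gw.register(id_u, pw_bar(pw, self.b_u))
        self.card["b"] = self.b_u
    def _unlock(self, pw):                   # card-local password check; returns h(x ⊕ y) and K_U
        pwb = pw_bar(pw, self.card["b"])
        hxy = xor(self.card["A"], pwb)                           # h(x ⊕ y) = A_U ⊕ pw̄_U
        check(self.card["B"] == h(self.id_u, pwb, hxy), "wrong password")
        return hxy, xor(h(self.id_u, pwb), self.card["W"])
    def step1(self, pw, id_s):
        hxy, k_u = self._unlock(pw)
        self.r_u, t_u = rand_scalar(), now()
        X, self.x_prime = smul(self.r_u, GEN), smul(self.r_u, to_int(k_u))   # X = r_U·P, X' = r_U·K_U
        omega = h(self.id_u, h(id_s, hxy), t_u)
        alpha = h(self.id_u, id_s, X, self.x_prime, t_u, omega)  # α binds the intended sensor ID_Sn
        self.ctx = (id_s, X, t_u)
        return (self.id_u, id_s, X, t_u, alpha, omega)           # M_1
    def step5(self, m4):
        Y, t_s, t_s2, delta, tau = m4
        id_s, X, t_u = self.ctx
        check(now() - t_s2 < DELTA_T, "T'_S is stale")
        check(delta == h(self.id_u, X, self.x_prime, t_u, id_s, Y, t_s), "δ invalid")
        k_us = smul(self.r_u, Y)                                 # K_US = r_U·Y
        check(tau == h(Y, t_s2, delta, k_us), "τ invalid")
        self.sk = h(X, Y, k_us)
        return self.sk
    def update_password(self, pw_old, pw_new):   # password update phase, entirely on the card
        hxy, k_u = self._unlock(pw_old)
        nb = pw_bar(pw_new, self.card["b"])
        self.card.update(A=xor(nb, hxy), B=h(self.id_u, nb, hxy), W=xor(h(self.id_u, nb), k_u))

def run_protocol(user, sensor, gw, pw):      # one full login; True when U and S_n agree on sk
    m4 = sensor.step4(gw.step3(sensor.step2(user.step1(pw, sensor.id_s))))
    return user.step5(m4) == sensor.sk
```

A wrong password, a stale timestamp, a forged ω or a substituted ID_Sn each abort the run with a ValueError at the first party able to detect it; run_protocol returns True only when U and S_n derive the same sk. The X' agreement works because the gateway computes h(ID_U || x)·X = h(ID_U || x)·r_U·P while the card computes r_U·K_U = r_U·h(ID_U || x)·P, so neither side ever transmits h(ID_U || x).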

6. Performance Comparison 

Table 3 compares our improved protocol with Yeh et al.'s protocol [2] and Shi et al.'s protocol [3] 
in terms of the computational costs required by the protocols. The efficiency comparison is based on 
theoretical analysis and experimental results [3,27-29]. 

Table 3. Efficiency comparison. 

Protocol               | Computational Cost 
                       | User               | Sensor                  | Gateway 
Yeh et al.'s protocol  | 2M + 1R + 1A + 4H  | 2M + 1R + 1A + 1P + 1H  | 3M + 1R + 1P + 1H 
Shi et al.'s protocol  | 3M + 5H            | 2M + ?H                 | 1M + 4H 
Our protocol           | 3M + 7H            | 2M + 4H                 | 1M + 4H 

Notations used in Table 3 are described as follows: 

M  scalar-point multiplication 
R  random point generation 
A  point addition 
P  map-to-point hash function evaluation 
H  hash function evaluation 

The computational costs of generating a random point and evaluating a map-to-point hash function 
are about half the cost of performing a scalar-point multiplication. Hash function evaluations and point 
addition operations are often ignored in cost estimates since they are much faster than scalar-point 
multiplications. If we ignore hash function evaluations, the computational costs described in Table 3 
can be estimated as in Table 4. 
Table 4. Estimated efficiency comparison. 

Protocol               | Computational Cost 
                       | User  | Sensor | Gateway 
Yeh et al.'s protocol  | 2.5M  | 3M     | 3M 
Shi et al.'s protocol  | 3M    | 2M     | 1M 
Our protocol           | 3M    | 2M     | 1M 


As shown in Tables 3 and 4, our proposed protocol and Shi et al.'s protocol are more efficient than 
Yeh et al.'s protocol, in terms of the computational costs of the sensor and the gateway. In WSNs, it 
is important to minimize the energy consumption of the sensor node. In this sense, it is fair to say 
that our protocol and Shi et al.'s protocol are better suited for WSNs than Yeh et al.'s protocol. The 
performance of our proposed protocol is similar to that of Shi et al.'s protocol. But, as we demonstrated in 
Section 4, Shi et al.'s protocol is vulnerable to a session key attack, a stolen smart card attack, and a 
sensor energy exhausting attack. Consequently, we can say that our protocol enhances the security of 
Shi et al.'s protocol while maintaining the efficiency of the protocol. 

7. Security Analysis and Verification 

In this section, we first provide a heuristic security analysis for the proposed protocol and then 
formally verify the security analysis by using Rubin logic. 

7.1. Heuristic Security Analysis 

7.1.1. Stolen-Verifier Attack 

In WSNs, an attacker may attempt to mount a stolen-verifier attack if the gateway stores a password 
verifier [30], and then impersonate a legal user using the verifier stolen from the gateway. However, in 
our protocol, the gateway does not store a password verifier of any kind but stores only the master secret 
keys x and y, which are used in computing: 

SK_GS = h(ID_Sn || y) 
X' = h(ID_U || x) · X 

7.1.2. Insider Attack 

An insider attack occurs when the gateway manager or system administrator can access a user's secret 
(e.g., user password) and then impersonate the user. However, in our protocol, the user U does not send 
a plain password to the gateway, but sends only the password-derived hash value pw̄_U = h(pw_U ⊕ b_U). 
Since b_U is a sufficiently high-entropy random number, the gateway cannot learn the password pw_U from 
the hash value pw̄_U. In addition, the gateway does not manage any table for storing user passwords 
or their verifiers (e.g., an ID/password table). Therefore, an insider attack is not possible against 
our protocol. 
7.1.3. Replay Attack 

In our protocol, each of the protocol messages (M_1, M_2, M_3 and M_4) carries at least one of the 
authenticators (α, β, γ, δ, τ and ω), which are generated using a timestamp (T_U, T_S, T'_S or T_G) as part of 
the hash input. The protocol participants (U, S_n and GW) verify the authenticity of incoming messages 
by checking the freshness of the timestamps and the legitimacy of the authenticators. But an attacker 
cannot compute any of the authenticators for a fresh timestamp without knowing an appropriate secret. 
Therefore, our proposed protocol is secure against replay attacks. 

7.1.4. Man-in-the-Middle Attack 

It is impossible for an attacker to mount a man-in-the-middle attack against our proposed protocol. 
In a typical man-in-the-middle attack, an attacker intercepts the messages being exchanged between the 
communicating parties and instead sends arbitrary messages for its own benefit, impersonating one of 
them to the other. But our protocol allows the parties to authenticate all the protocol messages with the 
authenticators α, β, γ, δ, τ and ω, and therefore is secure against man-in-the-middle attacks. 

7.1.5. Gateway Impersonation Attack 

An attacker cannot impersonate the gateway because it cannot forge the message: 

To generate γ or δ, one needs to know either SK_GS or h(ID_U || x). However, h(ID_U || x) is the secret 
shared only between the user and the gateway, while SK_GS is the secret shared between the sensor and 
the gateway. Therefore, it is impossible for an attacker to mount a gateway impersonation attack. 

7.1.6. User Impersonation Attack 

It is impossible for an attacker to impersonate the user as it cannot forge the message: 

M_1 = (ID_U, ID_Sn, X, T_U, α, ω) 

The attacker would need to know X' to compute α and h(x ⊕ y) to compute ω. But the attacker 
knows neither X' nor h(x ⊕ y) and therefore cannot mount a user impersonation attack. 

7.1.7. Sensor Impersonation Attack 

An attacker cannot impersonate the sensor because it cannot forge the messages $M_2 = (ID_U, X, T_U, \alpha, \omega, ID_{S_n}, Y, T_S, \beta)$ 
and $M_4 = (Y, T_S, T'_S, \delta, \tau)$. The attacker cannot compute $\beta$ without 
knowing $SK_{GS}$ and cannot compute $\delta$ without knowing the secret $h(ID_U \| x)$. But the attacker knows 
neither $SK_{GS}$ nor $x$ and therefore cannot mount a sensor impersonation attack. 
7.1.8. Mutual Authentication 

Mutual authentication is an important security property that an authentication protocol should 
achieve [31,32]. Our proposed protocol provides mutual authentication among the three parties: the 
user, the sensor and the gateway. 

• The gateway authenticates the user using $\alpha$ in $M_2$. 

• The gateway authenticates the sensor using $\beta$ in $M_2$. 

• The sensor authenticates the gateway using $\gamma$ in $M_3$. 

• The user authenticates the gateway using $\delta$ in $M_4$. 

• The user and the sensor authenticate each other via $\delta$ from the gateway. 

This means that our protocol achieves mutual authentication. 

7.1.9. Perfect Forward Secrecy 

Perfect forward secrecy means that a session key derived from a set of long-term keys is not 
compromised even if one of the long-term keys is compromised in the future. The proposed protocol 
uses the session key $sk = h(X \| Y \| r_S \times X)$ for the sensor and $sk = h(X \| Y \| r_U \times Y)$ for the user. Even 
if $h(ID_U \| x)$ and $x$ are compromised, an attacker cannot learn $r_U$ or $r_S$. Under the assumption 
that the ECCDHP problem is hard, the attacker cannot compute $r_S$ from $r_S \times X$ or $r_U$ from $r_U \times Y$. 
Therefore, our protocol provides perfect forward secrecy. 

7.1.10. Key Agreement 

The proposed protocol provides key agreement between the user and the sensor. To the session-key 
computation, the user contributes its random number $r_U$ while the sensor contributes its random number 
$r_S$. It is straightforward to verify that $K_{SU}$ and $K_{US}$ are equal: 

$K_{SU} = r_S \times X = r_S \times r_U \times P$ 
$K_{US} = r_U \times Y = r_U \times r_S \times P$ 

Since $K_{SU} = K_{US}$, it is clear that the user and the sensor compute session keys of the same value: 

$sk = h(X \| Y \| K_{US}) = h(X \| Y \| K_{SU})$ 

7.1.11. Session Key Attack 

In our protocol: 

• $\alpha$ is combined with the two identities $ID_U$ and $ID_{S_n}$, which indicates that the user $U$ wants to 
communicate with the sensor $S_n$, 

• $\delta$ is also combined with $ID_U$ and $ID_{S_n}$, which indicates that the gateway has authenticated both 
the user $ID_U$ and the sensor $ID_{S_n}$. 

But no attacker can compute $\alpha$ and $\delta$, and therefore no attacker can share a session key with the user. 
7.1.12. Stolen Smart Card Attack 

In Shi et al.'s protocol, the attacker can obtain $b_U$ and $B_U$ from the smart card and thus can use 
$B_U = h(ID_U \oplus h(pw_U \oplus b_U))$ as the password verifier in its offline dictionary attack. However, in our 
protocol, $B_U$ is computed as $B_U = h(ID_U \| \overline{pw}_U \| h(x \oplus y))$. Even if the attacker obtains $b_U$ and $B_U$ from 
the smart card, it cannot use $B_U$ as a password verifier since it does not know the hash value $h(x \oplus y)$. 
Therefore, no attacker can mount an offline dictionary attack against our protocol. 

7.1.13. Sensor Energy Exhausting Attack 

In Shi et al.'s protocol, the sensor has to generate a random number and execute a scalar-point 
multiplication whenever it receives the message $M_1$ from the user. Random number generation and 
scalar-point multiplication are expensive and exhaust a large amount of the sensor's energy. This makes 
Shi et al.'s protocol vulnerable to a sensor energy exhausting attack. However, in our protocol, the sensor 
first checks the validity of $\omega = h(ID_U \| h(ID_{S_n} \| h(x \oplus y)) \| T_U)$ before generating a random number and 
performing a scalar-point multiplication. Checking the validity of $\omega$ requires only one hash function 
evaluation. Therefore, our proposed protocol is secure against a sensor energy exhausting attack. 

Table 5 summarizes and compares the security of our protocol, Yeh et al.'s protocol, and 
Shi et al.'s protocol. 



Table 5. Security comparison. 

| Attack and Security Property | Yeh et al.'s Protocol | Shi et al.'s Protocol | Our Protocol |
|---|---|---|---|
| Stolen-verifier attack | Secure | Secure | Secure |
| Insider attack | Secure | Secure | Secure |
| Replay attack | Secure | Secure | Secure |
| Man-in-the-middle attack | Secure | Secure | Secure |
| Gateway impersonation attack | Secure | Secure | Secure |
| User impersonation attack | Secure | Secure | Secure |
| Sensor impersonation attack | Insecure | Secure | Secure |
| Mutual authentication | No | Yes | Yes |
| Perfect forward secrecy | No | Yes | Yes |
| Key agreement between user and sensor | No | Yes | Yes |
| Session key attack | Insecure | Insecure | Secure |
| Stolen smart card attack | Insecure | Insecure | Secure |
| Sensor energy exhausting attack | Insecure | Insecure | Secure |


7.2. Rubin Logic Verification 

Sensors 2014, 14, 10098 

We analyze the proposed protocol using Rubin logic, which is applicable to the analysis of 
authentication protocols. Rubin logic integrates protocol analysis with specification and uses the notions 
of global sets, local sets, and actions. As the protocol run progresses, the possession and belief sets 
(specified by local sets) of each principal are modified by inference rules (specified by global sets) and 
actions [33,34]. As the possession and belief sets are modified, the secret set and observers sets (specified 
by global sets) are modified as well. 

Global Sets. The first step of the specification of any protocol using Rubin logic is to instantiate the 
global sets with values. Global sets are public to each principal in a protocol specification. 

• Principal Set: This set contains the principals who participate in a protocol. 

• Rule Set: This set contains inference rules for deriving new statements from existing assertions. 

• Secret Set: This set contains all of the secrets that exist at any given time in the system. 

• Observers Sets: For each secret, its set contains all the principals who could possibly know 
the secret by listening to network traffic or generating it themselves. 

Local Sets. Local sets are private to each principal in a protocol specification [35]. For each principal 
$P_i$, Rubin logic defines the following sets: 

• Possession Set($P_i$): This set contains all the security-relevant data that this principal 
knows or possesses. We denote this set by $\mathrm{POSS}(P_i) = (poss_1, poss_2, \cdots, poss_n)$. 

• Belief Set($P_i$): This set contains all the beliefs held by a principal, for example, the 
keys it holds between itself and other principals, beliefs about jurisdiction, beliefs about 
freshness, and beliefs about the possessions of other principals. We denote this set by 
$\mathrm{BEL}(P_i) = (bel_1, bel_2, \cdots, bel_n)$. 

• Behavior List($P_i$): This item is a list rather than a set because the elements are ordered. 
$\mathrm{BL}(P_i)$ = Behavior List of $P_i$. 

Actions. Rubin logic defines actions for dealing with the knowledge in a protocol [36]. The action lists 
that precede and follow message operations in a principal's behavior list determine the sequence of 
events performed by the principal during a protocol run. We use the following actions: 

• Generate-nonce($N$) 

• Send($P$, $X$) 

• Receive($P$, $X$) 

• Update($X$) 

• Forget($X$) 

• Concat($X_1, X_2, \cdots, X_n$) 

• XOR($X_1, X_2, \cdots, X_n$) 

• Check($X_1, X_2, \cdots, X_n$) 

• Scalar-multiplication($X_1, X_2, \cdots, X_n$) 

• Hash($h(\cdot)$; $X_1, X_2, \cdots, X_n$) 

• Check-freshness($T$) 

Here, Concat($X_1, X_2, \cdots, X_n$) is the action that concatenates the submessages $X_1, X_2, \cdots, X_n$. 

7.2.1. Protocol Specification 

The notation used for the protocol specification is the same as in Table 2. Phases 1, 2 and 3 
represent the registration phase, the login and authentication phase, and the password update phase, respectively. 
The global and local sets for the protocol are specified as follows: 
Global Sets. The global sets are specified as follows: 

• Principal set: A principal is one of $U$, $S_n$ and $GW$. $U$ is the protocol initiator. 

• Rule set: 

- $X$ contains $Y$: $Y$ appears as a submessage of $X$. 

- $S := f(S)$: $S$ is replaced by the value $f(S)$. 

- $X$ from $E$: $X$ is received from $E$. 

- LINK($N$): LINK is used to link responses to challenges. When a principal generates 
a nonce $N$, the formula LINK($N$) is added to the belief set of the principal. 

• Secret Set: $\{pw_U, b_U, x, y, h(x \oplus y), SK_{GS}\}$ 

• Observers Sets: 

- Observers($pw_U$): $\{U\}$ 

- Observers($b_U$): $\{U\}$ 

- Observers($x$): $\{GW\}$ 

- Observers($y$): $\{GW\}$ 

- Observers($h(x \oplus y)$): $\{S_n, GW\}$ 

- Observers($SK_{GS}$): $\{S_n, GW\}$ 

Local Sets. The local sets are defined for each of $U$, $S_n$ and $GW$. Tables 6-8 show the specification of 
the local sets for $U$, $S_n$ and $GW$, respectively. 



Table 6. Local sets specification for principal $U$. 

Principal $U$ 

$\mathrm{POSS}(U) = \{pw_U, b_U, \{ID_U\}\}$ 
$\mathrm{BEL}(U) = \{\sharp(pw_U), \sharp(b_U)\}$ 
$\mathrm{BL}(U)$: 

Phase 1 

(U1) $\overline{pw}_U \leftarrow$ Hash($h(\cdot)$; XOR($pw_U$, $b_U$)) 
(U2) Send($GW$, $\{ID_U, \overline{pw}_U\}$) 
(U3) Update($ID_U$, $\overline{pw}_U$) 
(U4) Receive($GW$, $\{A_U, B_U, W_U, h(\cdot)\}$) 

Phase 2 

(U5) $\overline{pw}_U \leftarrow$ Hash($h(\cdot)$; XOR($pw_U$, $b_U$)) 
(U6) $h(x \oplus y) \leftarrow$ XOR($\overline{pw}_U$, $A_U$) 
(U7) $B'_U \leftarrow$ Hash($h(\cdot)$; Concat($ID_U$, $\overline{pw}_U$, $h(x \oplus y)$)) 
(U8) Check($B'_U$, $B_U$) 
(U9) $K_U \leftarrow$ XOR(Hash($h(\cdot)$; Concat($ID_U$, $\overline{pw}_U$)), $W_U$) 
(U10) Generate-nonce($r_U$) 
(U11) $X \leftarrow$ Scalar-multiplication($r_U$, $P$) 
(U12) $X' \leftarrow$ Scalar-multiplication($r_U$, $K_U$) 
(U13) $\omega \leftarrow$ Hash($h(\cdot)$; Concat($ID_U$, Hash($h(\cdot)$; $ID_{S_n}$, $h(x \oplus y)$), $T_U$)) 
(U14) $\alpha \leftarrow$ Hash($h(\cdot)$; Concat($ID_U$, $ID_{S_n}$, $X$, $X'$, $T_U$, $\omega$)) 
(U15) Send($S_n$, $\{ID_U, ID_{S_n}, X, T_U, \alpha, \omega\}$) 
(U16) Update($ID_U$, $ID_{S_n}$, $X$, $T_U$, $\alpha$, $\omega$) 
(U17) Receive($S_n$, $\{Y, T_S, T'_S, \delta, \tau\}$) 
(U18) Check-freshness($T'_S$) 
(U19) Check($\delta$, Hash($h(\cdot)$; Concat($ID_U$, $X$, $X'$, $T_U$, $ID_{S_n}$, $Y$, $T_S$))) 
(U20) $K_{US} \leftarrow$ Scalar-multiplication($r_U$, $Y$) 
(U21) Check($\tau$, Hash($h(\cdot)$; Concat($Y$, $T'_S$, $\delta$, $K_{US}$))) 
(U22) $sk \leftarrow$ Hash($h(\cdot)$; Concat($X$, $Y$, $K_{US}$)) 

Phase 3 

(U23) $\overline{pw}_U \leftarrow$ Hash($h(\cdot)$; XOR($pw_U$, $b_U$)) 
(U24) $B'_U \leftarrow$ Hash($h(\cdot)$; Concat($ID_U$, $\overline{pw}_U$, $h(x \oplus y)$)) 
(U25) Check($B'_U$, $B_U$) 
(U26) $K_U \leftarrow$ XOR(Hash($h(\cdot)$; Concat($ID_U$, $\overline{pw}_U$)), $W_U$) 
(U27) $h(x \oplus y) \leftarrow$ XOR($\overline{pw}_U$, $A_U$) 
(U28) $\overline{pw}'_U \leftarrow$ Hash($h(\cdot)$; XOR($pw'_U$, $b_U$)) 
(U29) $A'_U \leftarrow$ XOR($\overline{pw}'_U$, $h(x \oplus y)$) 
(U30) $B'_U \leftarrow$ Hash($h(\cdot)$; Concat($ID_U$, $\overline{pw}'_U$, $h(x \oplus y)$)) 
(U31) $W'_U \leftarrow$ XOR(Hash($h(\cdot)$; Concat($ID_U$, $\overline{pw}'_U$)), $K_U$) 
(U32) $A_U \leftarrow A'_U$ 
(U33) $B_U \leftarrow B'_U$ 
(U34) $W_U \leftarrow W'_U$ 
Table 7. Local sets specification for principal $S_n$. 

Principal $S_n$ 

$\mathrm{POSS}(S_n) = \{SK_{GS}, h(x \oplus y), \{ID_{S_n}\}\}$ 
$\mathrm{BEL}(S_n) = \{\sharp(SK_{GS}), \sharp(h(x \oplus y))\}$ 
$\mathrm{BL}(S_n)$: 

Phase 2 

(SN1) Receive($U$, $\{ID_U, ID_{S_n}, X, T_U, \alpha, \omega\}$) 
(SN2) Check-freshness($T_U$) 
(SN3) Check($\omega$, Hash($h(\cdot)$; Concat($ID_U$, Hash($h(\cdot)$; $ID_{S_n}$, $h(x \oplus y)$), $T_U$))) 
(SN4) Generate-nonce($r_S$) 
(SN5) $Y \leftarrow$ Scalar-multiplication($r_S$, $P$) 
(SN6) $\beta \leftarrow$ Hash($h(\cdot)$; Concat($SK_{GS}$, $ID_U$, $X$, $T_U$, $\alpha$, $\omega$, $ID_{S_n}$, $Y$, $T_S$)) 
(SN7) Send($GW$, $\{ID_U, X, T_U, \alpha, \omega, ID_{S_n}, Y, T_S, \beta\}$) 
(SN8) Update($ID_U$, $X$, $T_U$, $\alpha$, $\omega$, $ID_{S_n}$, $Y$, $T_S$, $\beta$) 
(SN9) Receive($GW$, $\{T_G, \gamma, \delta\}$) 
(SN10) Check-freshness($T_G$) 
(SN11) Check($\gamma$, Hash($h(\cdot)$; Concat($SK_{GS}$, $ID_U$, $X$, $T_U$, $\alpha$, $ID_{S_n}$, $Y$, $T_S$, $T_G$))) 
(SN12) $K_{SU} \leftarrow$ Scalar-multiplication($r_S$, $X$) 
(SN13) $\tau \leftarrow$ Hash($h(\cdot)$; Concat($Y$, $T'_S$, $\delta$, $K_{SU}$)) 
(SN14) $sk \leftarrow$ Hash($h(\cdot)$; Concat($X$, $Y$, $K_{SU}$)) 
(SN15) Send($U$, $\{Y, T_S, T'_S, \delta, \tau\}$) 
(SN16) Update($Y$, $T_S$, $T'_S$, $\delta$, $\tau$) 


Table 8. Local sets specification for principal $GW$. 

Principal $GW$ 

$\mathrm{POSS}(GW) = \{x, y, h(x \oplus y), SK_{GS}\}$ 
$\mathrm{BEL}(GW) = \{\sharp(x), \sharp(y), \sharp(h(x \oplus y)), \sharp(SK_{GS})\}$ 
$\mathrm{BL}(GW)$: 

Phase 1 

(GW1) Receive($U$, $\{ID_U, \overline{pw}_U\}$) 
(GW2) $K_U \leftarrow$ Scalar-multiplication(Hash($h(\cdot)$; Concat($ID_U$, $x$)), $P$) 
(GW3) $A_U \leftarrow$ XOR($\overline{pw}_U$, $h(x \oplus y)$) 
(GW4) $B_U \leftarrow$ Hash($h(\cdot)$; Concat($ID_U$, $\overline{pw}_U$, $h(x \oplus y)$)) 
(GW5) $W_U \leftarrow$ XOR(Hash($h(\cdot)$; Concat($ID_U$, $\overline{pw}_U$)), $K_U$) 
(GW6) Send($U$, $\{A_U, B_U, W_U, h(\cdot)\}$) 
(GW7) Update($A_U$, $B_U$, $W_U$, $h(\cdot)$) 
(GW8) Forget($ID_U$, $\overline{pw}_U$, $A_U$, $B_U$, $K_U$, $W_U$) 

Phase 2 

(GW9) Receive($S_n$, $\{ID_U, X, T_U, \alpha, \omega, ID_{S_n}, Y, T_S, \beta\}$) 
(GW10) Check-freshness($T_S$) 
(GW11) Check($\beta$, Hash($h(\cdot)$; Concat($SK_{GS}$, $ID_U$, $X$, $T_U$, $\alpha$, $\omega$, $ID_{S_n}$, $Y$, $T_S$))) 
(GW12) $X' \leftarrow$ Scalar-multiplication(Hash($h(\cdot)$; Concat($ID_U$, $x$)), $X$) 
(GW13) Check($\alpha$, Hash($h(\cdot)$; Concat($ID_U$, $ID_{S_n}$, $X$, $X'$, $T_U$, $\omega$))) 
(GW14) $\gamma \leftarrow$ Hash($h(\cdot)$; Concat($SK_{GS}$, $ID_U$, $X$, $T_U$, $\alpha$, $ID_{S_n}$, $Y$, $T_S$, $T_G$)) 
(GW15) $\delta \leftarrow$ Hash($h(\cdot)$; Concat($ID_U$, $X$, $X'$, $T_U$, $ID_{S_n}$, $Y$, $T_S$)) 
(GW16) Send($S_n$, $\{T_G, \gamma, \delta\}$) 
(GW17) Update($T_G$, $\gamma$, $\delta$) 


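The login and authentication phase of Tables 6-8 run end to end, as an added example that is not part of the paper: it exercises the key agreement argument of Section 7.1.10 ($K_{SU} = K_{US}$, so $U$ and $S_n$ derive the same $sk$) and the one-hash $\omega$ pre-check of Section 7.1.13 that lets $S_n$ reject a bad $M_1$ before generating a nonce or doing a scalar multiplication. It assumes secp256k1 as the curve and SHA-256 as $h(\cdot)$, neither of which the paper fixes, and every identity, secret and nonce in it is a constructed sample value.

```python
# Added example (not the paper's code): a pure-Python run of the login and
# authentication phase of Tables 6-8. Assumed: secp256k1 as the curve (the
# paper fixes none), SHA-256 as h(.), and constructed IDs, secrets and nonces.
import hashlib, secrets

P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
assert (P[1] ** 2 - P[0] ** 3 - 7) % P_MOD == 0  # base point lies on y^2 = x^3 + 7

def ec_add(A, B):
    """Affine point addition; None stands for the point at infinity."""
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % P_MOD == 0: return None
    if A == B: lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P_MOD) % P_MOD
    else: lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P_MOD) % P_MOD
    x = (lam * lam - A[0] - B[0]) % P_MOD
    return (x, (lam * (A[0] - x) - A[1]) % P_MOD)
def smul(k, Q):
    """Scalar-point multiplication k x Q by double-and-add."""
    R = None
    while k:
        if k & 1: R = ec_add(R, Q)
        Q, k = ec_add(Q, Q), k >> 1
    return R
def h(*parts):
    """h(.) over the concatenation of its arguments (strings, ints, points)."""
    return hashlib.sha256(b"||".join(repr(v).encode() for v in parts)).hexdigest()
def sensor_precheck(ID_U, ID_Sn, hxy, T_U, omega):
    """(SN3): one hash decides whether S_n spends a nonce and a scalar mult on M_1 (7.1.13)."""
    return omega == h(ID_U, h(ID_Sn, hxy), T_U)

def run_login_phase(ID_U, ID_Sn, x, y, SK_GS, T_U=1, T_S=2, T_G=3, T_S2=4):
    """Runs U, S_n and GW in turn; returns (sk at S_n, sk at U), which must agree (7.1.10)."""
    hxy = h(x ^ y)                                  # h(x XOR y), held by S_n and GW
    k_u = int(h(ID_U, x), 16) % N_ORD               # h(ID_U || x) used as a scalar
    K_U = smul(k_u, P)                              # K_U issued at registration (GW2)
    # U: (U10)-(U15)
    r_U = secrets.randbelow(N_ORD - 1) + 1
    X, X_dash = smul(r_U, P), smul(r_U, K_U)
    omega = h(ID_U, h(ID_Sn, hxy), T_U)
    alpha = h(ID_U, ID_Sn, X, X_dash, T_U, omega)
    # S_n: (SN1)-(SN8); the cheap omega check comes before any expensive step
    if not sensor_precheck(ID_U, ID_Sn, hxy, T_U, omega): raise ValueError("bad omega")
    r_S = secrets.randbelow(N_ORD - 1) + 1
    Y = smul(r_S, P)
    beta = h(SK_GS, ID_U, X, T_U, alpha, omega, ID_Sn, Y, T_S)
    # GW: (GW9)-(GW17); GW recomputes X' = h(ID_U||x) x X without knowing r_U
    assert beta == h(SK_GS, ID_U, X, T_U, alpha, omega, ID_Sn, Y, T_S)
    X_gw = smul(k_u, X)
    assert alpha == h(ID_U, ID_Sn, X, X_gw, T_U, omega)
    gamma = h(SK_GS, ID_U, X, T_U, alpha, ID_Sn, Y, T_S, T_G)
    delta = h(ID_U, X, X_gw, T_U, ID_Sn, Y, T_S)
    # S_n: (SN9)-(SN16)
    assert gamma == h(SK_GS, ID_U, X, T_U, alpha, ID_Sn, Y, T_S, T_G)
    K_SU = smul(r_S, X)
    tau = h(Y, T_S2, delta, K_SU)
    # U: (U17)-(U22)
    assert delta == h(ID_U, X, X_dash, T_U, ID_Sn, Y, T_S)
    K_US = smul(r_U, Y)
    assert tau == h(Y, T_S2, delta, K_US)
    return h(X, Y, K_SU), h(X, Y, K_US)
```

Timestamps are fixed integers here, so the Check-freshness actions are not modelled; a deployment would compare them against a clock window.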

7.2.2. Analysis and Verification 

In phase 1, $U$ initiates the protocol, and then the actions in $\mathrm{BL}(U)$ are performed. First, the (U1)-(U3) 
actions in $\mathrm{BL}(U)$ are performed, which represent that $U$ sends $ID_U$ and $\overline{pw}_U$ to $GW$ for registration. 
Next, the (GW1)-(GW8) actions in $\mathrm{BL}(GW)$ are performed to generate $A_U$, $B_U$, $K_U$ and $W_U$, and to send 
them to $U$. By (GW8), $GW$ deletes $ID_U$, $\overline{pw}_U$, $A_U$, $B_U$, $K_U$ and $W_U$ from $\mathrm{POSS}(GW)$ and $\mathrm{BEL}(GW)$. 
Lastly, the (U4) action in $\mathrm{BL}(U)$ is executed, and phase 1 is finished. Due to the (GW8) forget action, the 
local sets of $GW$ are not changed. However, the local sets of principal $U$ are changed as described below. 

• $\mathrm{POSS}(U) = \{pw_U, b_U, \overline{pw}_U, \{ID_U\}, \{A_U, B_U, W_U, h(\cdot)\} \text{ from } GW\}$ 

• $\mathrm{BEL}(U) = \{\sharp(pw_U), \sharp(b_U), \sharp(\overline{pw}_U)\}$ 

Accordingly, the global sets are modified as follows: 

• Secret set: $\{pw_U, b_U, \overline{pw}_U, x, y, SK_{GS}, h(x \oplus y)\}$ 

• Observers sets: 

- Observers($\overline{pw}_U$): $\{U\}$ 

In the (U5)-(U8) actions in $\mathrm{BL}(U)$ of phase 2, the smart card authenticates $U$, who inputs $ID_U$ and 
$pw_U$, by checking whether $B_U$ and $B'_U$ are the same. Next, the (U9)-(U15) actions are executed to 
generate the protocol values $X$, $X'$, $h(x \oplus y)$, $\omega$, $\alpha$ and $r_U$. After the (U16) update action, the local sets 
of $U$ are changed as follows: 

• $\mathrm{POSS}(U) = \{ID_{S_n}, pw_U, b_U, \overline{pw}_U, X, X', h(x \oplus y), T_U, \alpha, \omega, r_U, \{ID_U\}\}$ 

• $\mathrm{BEL}(U) = \{\sharp(pw_U), \sharp(b_U), \sharp(r_U), \sharp(X'), \sharp(h(x \oplus y)), \sharp(T_U), \mathrm{LINK}(r_U)\}$ 

Then, the global sets are modified as follows: 

• Secret set: $\{pw_U, b_U, \overline{pw}_U, x, y, X', SK_{GS}, h(x \oplus y)\}$ 

• Observers sets: 

- Observers($X'$): $\{U\}$ 

- Observers($h(x \oplus y)$): $\{U\}$ 

After the (U5)-(U16) actions are finished, $S_n$ starts the actions in $\mathrm{BL}(S_n)$ with the incoming message 
$M_1$ from $U$. The (SN1)-(SN3) actions in $\mathrm{BL}(S_n)$ are performed to verify the correctness of message 
$M_1$. If the check succeeds, the (SN4)-(SN8) actions are performed to compute the values $Y$, $\beta$ and $r_S$, and 
to send the message $M_2$. The local sets of $S_n$ are changed as follows. 

• $\mathrm{POSS}(S_n) = \{Y, T_S, r_S, \beta, SK_{GS}, h(x \oplus y), \{ID_{S_n}\}, \{ID_U, X, T_U, \alpha, \omega\} \text{ from } U\}$ 

• $\mathrm{BEL}(S_n) = \{\sharp(r_S), \sharp(SK_{GS}), \sharp(h(x \oplus y)), \sharp(T_S), \mathrm{LINK}(r_S)\}$ 

In this case, the global sets remain unchanged and thus the secret set is the same as above: 

• Secret set: $\{pw_U, b_U, \overline{pw}_U, x, y, X', SK_{GS}, h(x \oplus y)\}$ 

After the (SN1)-(SN8) actions of $\mathrm{BL}(S_n)$ are finished, the (GW9)-(GW17) actions of $\mathrm{BL}(GW)$ are executed. 
The (GW9)-(GW13) actions check the timestamp of $S_n$ and then verify the legitimacy of $U$ and $S_n$. If they 
are correct, the (GW14)-(GW17) actions of $\mathrm{BL}(GW)$ are executed to compute the values ($\gamma$, $\delta$) for authentication 
and to send the message. $\gamma$ is used for authentication with $S_n$ and $\delta$ is used for authentication with $U$. 

After the (SN1)-(SN8) actions are done, the (GW9)-(GW13) actions in $\mathrm{BL}(GW)$ are performed 
to check the legitimacy of $U$ and $S_n$. If the verification succeeds, the (GW14)-(GW17) actions are 
performed to generate $\gamma$ and $\delta$ and to send the message $M_3$ to $S_n$. The local sets of $GW$ are modified as 
shown below. 

• $\mathrm{POSS}(GW) = \{T_G, \gamma, \delta, x, y, X', SK_{GS}, h(x \oplus y), \{ID_U, X, T_U, \alpha, \omega, ID_{S_n}, Y, T_S, \beta\} \text{ from } S_n\}$ 

• $\mathrm{BEL}(GW) = \{\sharp(x), \sharp(y), \sharp(X'), \sharp(SK_{GS}), \sharp(h(x \oplus y)), \sharp(T_G)\}$ 

The global sets are updated as follows: 

• Secret set: $\{pw_U, b_U, \overline{pw}_U, x, y, X', SK_{GS}, h(x \oplus y)\}$ 

• Observers sets: 

- Observers($X'$): $\{GW\}$ 

After the (GW9)-(GW17) actions are finished, the (SN9)-(SN11) actions in $\mathrm{BL}(S_n)$ are conducted to 
verify the legitimacy of $GW$ and $U$ via the authenticator $\gamma$. If the verification succeeds, the 
(SN12)-(SN16) actions are performed to generate $\tau$ and $sk$ from $r_S$, $K_{SU}$, $X$ and $Y$, and to send the 
message $M_4$ to $U$. The local sets of $S_n$ are updated as follows: 

• $\mathrm{POSS}(S_n) = \{Y, T'_S, K_{SU}, r_S, \tau, sk, SK_{GS}, \{ID_{S_n}\}, \{T_G, \gamma, \delta\} \text{ from } GW\}$ 

• $\mathrm{BEL}(S_n) = \{\sharp(K_{SU}), \sharp(sk), \sharp(SK_{GS}), \sharp(T_S), \mathrm{LINK}(r_S)\}$ 

Accordingly, the global sets are modified as follows: 

• Secret set: $\{pw_U, b_U, \overline{pw}_U, x, y, K_{SU}, sk, X', SK_{GS}, h(x \oplus y)\}$ 

• Observers sets: 

- Observers($K_{SU}$): $\{S_n\}$ 

- Observers($sk$): $\{S_n\}$ 

The (U17)-(U19) actions in $\mathrm{BL}(U)$ check the legitimacy of $GW$ and $S_n$, while the (U20)-(U22) 
actions generate the session key $sk$ from $r_U$, $K_{US}$, $X$ and $Y$. So, the conditions for the linkage 
rule are satisfied. 

• $\mathrm{POSS}(U) = \{K_{US}, sk, \{ID_U\}, \{Y, T'_S, \delta, \tau\} \text{ from } S_n\}$ 

• $\mathrm{BEL}(U) = \{\sharp(K_{US}), \sharp(X'), \sharp(sk), \sharp(h(x \oplus y))\}$ 

• Secret set: $\{pw_U, b_U, \overline{pw}_U, x, y, K_{SU}, K_{US}, sk, X', SK_{GS}, h(x \oplus y)\}$ 

• Observers sets: 

- Observers($K_{US}$): $\{U\}$ 

- Observers($sk$): $\{U\}$ 

In phase 3, $U$ changes its password and updates $A_U$, $B_U$ and $W_U$ stored in the smart card. In this 
phase, the local sets of $U$ and the global sets remain unchanged. 
The following shows the final version of the global sets. 

• Secret set: $\{pw_U, b_U, \overline{pw}_U, x, y, K_{SU}, K_{US}, sk, X', SK_{GS}, h(x \oplus y)\}$ 

• Observers sets: 

- Observers($pw_U$): $\{U\}$ 

- Observers($b_U$): $\{U\}$ 

- Observers($\overline{pw}_U$): $\{U\}$ 

- Observers($x$): $\{GW\}$ 

- Observers($y$): $\{GW\}$ 

- Observers($K_{SU}$): $\{S_n\}$ 

- Observers($K_{US}$): $\{U\}$ 

- Observers($sk$): $\{U, S_n\}$ 

- Observers($X'$): $\{U, GW\}$ 

- Observers($SK_{GS}$): $\{S_n, GW\}$ 

- Observers($h(x \oplus y)$): $\{U, S_n, GW\}$ 

This result implies that: 

• $pw_U$, $b_U$ and $\overline{pw}_U$ are known only to the user $U$. 

• $x$ and $y$ are known only to the gateway $GW$. 

• The long-term key $SK_{GS}$ shared between $S_n$ and $GW$ is not exposed. 

• $X'$ is known only to $U$ and $GW$. 

• $K_{US}$ and $K_{SU}$ are available only to $U$ and $S_n$. 

• The session key $sk$ is securely shared between $U$ and $S_n$. 

• $h(x \oplus y)$ is known only to the authorized principals $U$, $S_n$ and $GW$. 

• $U$, $S_n$ and $GW$ are mutually authenticated during the protocol execution. 

This verifies the security claims we made in the previous subsection. 

8. Conclusions 

In this paper, we have identified that Shi et al.'s ECC-based authentication protocol designed for 
wireless sensor networks (WSNs) is vulnerable to a session key attack, a stolen smart card attack, and a 
sensor energy exhausting attack. We have also proposed a new authentication protocol that addresses the 
identified security weaknesses. Our proposed protocol is as efficient as Shi et al.'s protocol and is better 
suited for WSNs than Yeh et al.'s protocol, the predecessor of Shi et al.'s protocol. As for the security 
of the proposed protocol, we have provided a heuristic analysis and formally verified the analysis using 
Rubin logic. 